And what would change if they are?
Would that attract new OEMs to make HW with Sailfish? No.
Would that make carriers support it? No.
Would that make 183643 new developers? No. And a particularly BIG NO, since from inception, for some mysterious reason, Jolla does not support paid apps and does not want people to make money on their work. Meanwhile, I just paid 80€ to Sygic a few days ago so that I can have the MirrorLink function within their nav app.
Would that make various different 3rd party apps that we need or use on a daily basis or here and there, but still use, on other platforms suddenly appear on Sailfish? No.

Signal is apparently a way better option than Telegram because it's fully open... But AFAIK they don't allow access to 3rd party apps. So how is that better than any closed source app?

There are 66538 different problems with Jolla and Sailfish, but a few closed source components are not one of those.

So Jolla will oversee any code going back into SailfishOS to maintain an independent offering. Leaking code is probably prohibited by commercial contracts.

This doesn't mean that any 3rd party with source code access could omit telling Jolla about found security bugs and use these as backdoors.

Also, an NDA doesn't guarantee that source code won't get leaked even though it's prohibited. Just look at the recent leak of iBoot code.

As I've understood from your picture, Jolla doesn't have access to Sailfish RUS specific source code, meaning backdoors could be inserted without Jolla's knowledge. Only into the RUS specific version though.

That'd be a GPL violation right there. Which translates into a higher risk for the players (for example the RUS specific version).

Bottom line: get caught with your pants down, and it's trouble.

EDIT: this is for the OPEN components. It might actually be that Jolla will be forced to open up the (remaining) closed ones for security validation.